Update: Apple is pushing a new security update to remove these webservers too.
The Mac webcam hijack flaw discovered in the Zoom video conference app is also present in RingCentral and Zhumu.
The evidence also suggests that the same vulnerability will exist in other Mac video conferencing apps …
Security researcher Jonathan Leitschuh, who discovered the issue in Zoom, speculated that the Mac webcam hijack vulnerability was likely present in RingCentral too. Fellow researcher Karan Lyons has now confirmed this.
RingCentral (and Zhumu, and likely all of Zoom’s white labels) are vulnerable to another, slightly different, RCE. They are not automatically removed by Apple.
As TNW notes, this is because both apps use the same underlying code.
Both RingCentral and Zhumu are powered by Zoom, with the former used by over 350,000 organizations. Zhumu, on the other hand, is essentially a Chinese version of the app, which Zoom bought in 2013.
A ‘white label’ app is essentially a complete copy of an established app, but rebranded for a client company. It has a different name and may have a slightly different user interface, but because the core code is the same, it will generally have the same vulnerabilities as the original.
As Lyons notes, Zhumu is not the only white label version of Zoom, so there are likely other Mac videoconferencing apps out there with the same flaw.
The problem is that the apps create a local webserver which runs in the background, and persists even after the app itself is removed. If you click on a weblink (which may be disguised as a link to something innocuous), it activates your webcam and joins you to the video conference.
Apple’s update only removes the webserver created by Zoom itself.
RingCentral has issued an emergency patch.
RingCentral has issued an update to RingCentral Meetings that resolves the General Concern, “Video ON Concern” on MacOS, CVE 2019-13449 and CVE 2019-13450.
Users will be prompted to download RingCentral Meetings MacOS app v7.0.151508.0712.
All users that have installed RingCentral Meetings on MacOS should accept the update. Please ensure that all RingCentral Meetings MacOS versions prior to v7.0.151508.0712 are removed.
RingCentral is continuing to work on addressing the General Concern related to “Video ON Concern” for additional platforms. We will continue to provide updates.
There’s no known patch as yet for the Mac webcam hijack flaw in Zhumu. However, Lyons has provided a set of three Terminal commands which will kill and remove the webservers, and prevent them being reinstalled.
To remove the three currently known daemons manually, run these commands in your Terminal:
rm -rf ~/.zoomus; touch ~/.zoomus && chmod 555 ~/.zoomus; pkill "ZoomOpener"
rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 555 ~/.ringcentralopener; pkill "RingCentralOpener"
rm -rf ~/.zhumuopener; touch ~/.zhumuopener && chmod 555 ~/.zhumuopener; pkill "ZhumuOpener"
These three commands do the same thing for the three most popular white labels of Zoom (Zoom, RingCentral, and Zhumu). They remove the web server if it exists at the hidden directory , and create an empty file and set permissions on it such that the hidden server cannot be reinstalled back to that location. Finally they kill the server if it is running.
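To confirm the cleanup took effect, this added example (not from Lyons or the original article) audits, read-only, the three paths and process names the commands above target. The function names and state labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: read-only audit of the three opener locations listed above.
# Function names and state labels are choices made for this example.

# Print the state of one opener path:
#   installed = directory still present (hidden webserver files)
#   blocked   = placeholder file with no write bits (what chmod 555 leaves)
#   unlocked  = placeholder file that is still writable
#   absent    = nothing at that path, so nothing prevents a reinstall
opener_state() {
    if [ -d "$1" ]; then
        echo installed
    elif [ -f "$1" ]; then
        case $(ls -ld "$1" | cut -c1-10) in
            *w*) echo unlocked ;;
            *)   echo blocked ;;
        esac
    else
        echo absent
    fi
}

# Succeeds if a process with exactly this name is running.
opener_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x "$1" >/dev/null 2>&1
}

# Report every opener under the given home directory.
# Returns 1 if any webserver is still installed or running.
audit_openers() {
    rc=0
    for pair in .zoomus:ZoomOpener .ringcentralopener:RingCentralOpener \
                .zhumuopener:ZhumuOpener; do
        path=$1/${pair%%:*}
        proc=${pair##*:}
        state=$(opener_state "$path")
        if opener_running "$proc"; then run=running; else run=stopped; fi
        echo "$path: $state, $proc: $run"
        if [ "$state" = installed ] || [ "$run" = running ]; then rc=1; fi
    done
    return "$rc"
}

audit_openers "$HOME" || echo "At least one opener is still installed or running."
```

After running the three removal commands, every line should read `blocked` and `stopped`.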
Lyons notes that while Apple’s own update addresses Safari, things get more complicated if you use Chrome or Firefox as your default browser.
If you’re using Safari on macOS you’re now good to go. However if you’re using any other browser (even on other operating systems) you may still see a link immediately open Zoom for you. This is not the same vulnerability (no RCE), and is in fact one you yourself opted into, though you may not have realized it. This will occur if you ever checked a box on a pop-up window for a Zoom meeting link that said something like “Always open these links in Zoom”.
She provides instructions for dealing with these browsers.
Physical webcam covers are looking like an increasingly smart idea.